npm - @iqauth/sdk - Versions diffs - 2.0.0 - Mend

@iqauth/sdk 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (112) hide show

package/LICENSE +21 -0
package/README.md +287 -0
package/dist/browser-session.d.mts +12 -0
package/dist/browser-session.d.ts +12 -0
package/dist/browser-session.js +1812 -0
package/dist/browser-session.mjs +28 -0
package/dist/browser.d.mts +46 -0
package/dist/browser.d.ts +46 -0
package/dist/browser.js +768 -0
package/dist/browser.mjs +47 -0
package/dist/chunk-5HF3OBNO.mjs +189 -0
package/dist/chunk-5WFR6Y33.mjs +59 -0
package/dist/chunk-6I6RM4MN.mjs +51 -0
package/dist/chunk-73R6BEGO.mjs +176 -0
package/dist/chunk-E46DKOVI.mjs +632 -0
package/dist/chunk-JQWYIIIS.mjs +1740 -0
package/dist/chunk-X3K3WOBR.mjs +64 -0
package/dist/chunk-Y6FXYEAI.mjs +10 -0
package/dist/cli/index.d.mts +1 -0
package/dist/cli/index.d.ts +1 -0
package/dist/cli/index.js +581 -0
package/dist/cli/index.mjs +57 -0
package/dist/client-C1DXfB8Z.d.mts +911 -0
package/dist/client-CggvJmmm.d.ts +911 -0
package/dist/dev-FUTJZSWN.mjs +56 -0
package/dist/doctor-OHJRZBBT.mjs +89 -0
package/dist/errors-CDdl24MP.d.mts +52 -0
package/dist/errors-CDdl24MP.d.ts +52 -0
package/dist/express-BKAXB5Nl.d.ts +61 -0
package/dist/express-CpfyYTmw.d.mts +61 -0
package/dist/express.d.mts +45 -0
package/dist/express.d.ts +45 -0
package/dist/express.js +2252 -0
package/dist/express.mjs +122 -0
package/dist/fastify.d.mts +23 -0
package/dist/fastify.d.ts +23 -0
package/dist/fastify.js +2062 -0
package/dist/fastify.mjs +118 -0
package/dist/hono.d.mts +22 -0
package/dist/hono.d.ts +22 -0
package/dist/hono.js +2051 -0
package/dist/hono.mjs +107 -0
package/dist/index.d.mts +6 -0
package/dist/index.d.ts +6 -0
package/dist/index.js +2070 -0
package/dist/index.mjs +83 -0
package/dist/init-LLCSQGNL.mjs +198 -0
package/dist/keys-NLWFAOEM.mjs +63 -0
package/dist/mobile.d.mts +11 -0
package/dist/mobile.d.ts +11 -0
package/dist/mobile.js +1809 -0
package/dist/mobile.mjs +25 -0
package/dist/next.d.mts +37 -0
package/dist/next.d.ts +37 -0
package/dist/next.js +2078 -0
package/dist/next.mjs +130 -0
package/dist/publishableKey-B5DIK81A.d.mts +24 -0
package/dist/publishableKey-B5DIK81A.d.ts +24 -0
package/dist/react.d.mts +196 -0
package/dist/react.d.ts +196 -0
package/dist/react.js +1457 -0
package/dist/react.mjs +787 -0
package/dist/server/handlers.d.mts +96 -0
package/dist/server/handlers.d.ts +96 -0
package/dist/server/handlers.js +243 -0
package/dist/server/handlers.mjs +14 -0
package/dist/server.d.mts +14 -0
package/dist/server.d.ts +14 -0
package/dist/server.js +2195 -0
package/dist/server.mjs +47 -0
package/dist/service.d.mts +11 -0
package/dist/service.d.ts +11 -0
package/dist/service.js +1809 -0
package/dist/service.mjs +25 -0
package/dist/signIn-C8f6qVjD.d.mts +238 -0
package/dist/signIn-Cy2lbEXb.d.ts +238 -0
package/dist/types-Cxl3bQHt.d.mts +900 -0
package/dist/types-Cxl3bQHt.d.ts +900 -0
package/docs/APP_INTEGRATION_MATRIX.md +59 -0
package/docs/BROWSER_SESSION_MIGRATION.md +69 -0
package/docs/FRESH_IMPLEMENTATION_GUIDE.md +188 -0
package/docs/TARBALL_RELEASE_WORKFLOW.md +98 -0
package/docs/V1_TO_V2_UPGRADE_GUIDE.md +318 -0
package/docs/guides/api-keys.md +130 -0
package/docs/guides/app-registration.md +149 -0
package/docs/guides/auth-flows.md +168 -0
package/docs/guides/branding.md +160 -0
package/docs/guides/entitlements.md +115 -0
package/docs/guides/entity-hierarchy.md +200 -0
package/docs/guides/error-handling.md +251 -0
package/docs/guides/gdpr-compliance.md +123 -0
package/docs/guides/invitations.md +143 -0
package/docs/guides/mfa-enrollment.md +170 -0
package/docs/guides/middleware-reference.md +205 -0
package/docs/guides/mobile-native.md +110 -0
package/docs/guides/roles-and-permissions.md +220 -0
package/docs/guides/scoped-authorization.md +247 -0
package/docs/guides/server-platform-integration.md +52 -0
package/docs/guides/service-automation-integration.md +36 -0
package/docs/guides/session-management.md +97 -0
package/docs/guides/tenant-management.md +216 -0
package/docs/guides/token-verification.md +178 -0
package/docs/guides/user-management.md +184 -0
package/docs/guides/webhooks.md +136 -0
package/docs/integration-prompts/README.md +20 -0
package/docs/integration-prompts/first-party-browser-app.md +29 -0
package/docs/integration-prompts/install-from-tarball.md +41 -0
package/docs/integration-prompts/migrate-from-local-packages-source.md +57 -0
package/docs/integration-prompts/native-mobile-app.md +24 -0
package/docs/integration-prompts/server-platform-app.md +20 -0
package/docs/integration-prompts/service-automation-app.md +20 -0
package/package.json +115 -0

package/dist/types-Cxl3bQHt.d.ts ADDED Viewed

@@ -0,0 +1,900 @@
+/**
+ * SOURCE REFS:
+ * - Route file: src/types/index.ts (JwtPayload, MfaChallengeTokenPayload, TenantSelectionTokenPayload, ApiSuccessResponse, ApiErrorResponse)
+ * - Route file: src/lib/response.ts (ApiResponse envelope shape)
+ * - Verified claims: sub, email, name, tenantId, vendorId, roles, entitlements, sessionId, jti, iss, aud, exp, iat, scopeContext, loginMethod
+ * - Last verified: Phase 0 Research Summary
+ */
+type IQAuthEnvironment = "server" | "mobile" | "browser_session" | "service";
+interface IQAuthRetryConfig {
+    /** Maximum number of HTTP attempts including the initial one. Default 3. */
+    maxAttempts?: number;
+    /** Initial backoff delay in milliseconds. Default 100. */
+    baseDelayMs?: number;
+    /** Cap for any individual backoff delay in milliseconds. Default 2000. */
+    maxDelayMs?: number;
+}
+interface IQAuthVerifyConfig {
+    /** Expected `iss` claim. Defaults to "auth.dispositioniq.com". */
+    issuer?: string | string[];
+    /** Expected `aud` claim. Defaults to the IQ product audience list. */
+    audience?: string | string[];
+    /** Allowed clock skew in seconds when checking exp/nbf. Default 30. */
+    clockTolerance?: number;
+}
+interface IQAuthClientConfigBase {
+    baseUrl: string;
+    environment?: IQAuthEnvironment;
+    sessionHeaderName?: string;
+    sessionHeaderValue?: string;
+    /** Token verification defaults applied by `client.tokens.verify`. */
+    verify?: IQAuthVerifyConfig;
+    /** HTTP retry behavior for transient failures (network errors, 429, 5xx). */
+    retry?: IQAuthRetryConfig;
+}
+interface IQAuthTokenClientConfig extends IQAuthClientConfigBase {
+    apiKey?: string;
+    accessToken?: string;
+    refreshToken?: string;
+    autoRefresh?: boolean;
+    onTokenRefresh?: (tokens: TokenPair) => void;
+}
+interface IQAuthBrowserSessionClientConfig extends IQAuthClientConfigBase {
+    environment: "browser_session";
+}
+type IQAuthClientConfig = IQAuthTokenClientConfig | IQAuthBrowserSessionClientConfig;
+interface TokenPair {
+    accessToken: string;
+    refreshToken: string;
+}
+interface ScopeContext {
+    type: string;
+    id: string;
+    role: string;
+    membershipId: string;
+}
+interface JwtClaims {
+    sub: string;
+    email: string;
+    name: string;
+    tenantId: string;
+    vendorId: string | null;
+    roles: string[];
+    entitlements: string[];
+    sessionId: string;
+    jti: string;
+    iss: string;
+    aud: string[];
+    exp?: number;
+    iat?: number;
+    scopeContext?: ScopeContext;
+    loginMethod?: string;
+}
+interface UserProfile {
+    id: string;
+    email: string;
+    name: string;
+    picture?: string | null;
+    isActive: boolean;
+    tenantId?: string;
+    vendorId?: string | null;
+    roles?: string[];
+    isDemoAccount?: boolean;
+    createdAt?: string;
+    updatedAt?: string;
+    googleId?: string | null;
+    mustChangePassword?: boolean;
+    passwordExpiresAt?: string | null;
+    passwordChangedAt?: string | null;
+    externalId?: string | null;
+}
+interface SessionUser {
+    sub: string;
+    email: string;
+    name: string;
+    tenantId?: string;
+    vendorId?: string | null;
+    roles: string[];
+    entitlements: string[];
+}
+interface Tenant {
+    tenantId: string;
+    tenantName?: string | null;
+    tenantSlug?: string | null;
+    roles: string[];
+}
+interface SignupRequest {
+    email: string;
+    name: string;
+    password: string;
+    tenantSlug?: string;
+    tenantId?: string;
+}
+interface TokenAuthenticatedLoginResult {
+    status: "authenticated";
+    authMode: "token";
+    tokens: TokenPair;
+    user: UserProfile;
+}
+interface SessionAuthenticatedLoginResult {
+    status: "authenticated";
+    authMode: "session";
+    user: SessionUser;
+}
+type LoginResult = TokenAuthenticatedLoginResult | SessionAuthenticatedLoginResult | {
+    status: "mfa_required";
+    mfaChallengeToken: string;
+    availableMethods: string[];
+} | {
+    status: "tenant_selection";
+    tenantSelectionToken: string;
+    tenants: Tenant[];
+};
+interface Session {
+    id: string;
+    userId: string;
+    tenantId: string;
+    ipAddress: string;
+    userAgent: string;
+    deviceFingerprint?: string;
+    isActive: boolean;
+    createdAt: string;
+    lastSeenAt?: string;
+    expiresAt: string;
+    terminatedAt?: string | null;
+    terminationReason?: string | null;
+    loginMethod?: string;
+    originHost?: string | null;
+}
+interface TenantInfo {
+    id: string;
+    name: string;
+    slug: string;
+    plan?: string;
+    isActive?: boolean;
+    vendorId?: string | null;
+    vendorName?: string | null;
+    allowedDomains?: string[] | null;
+    autoProvisionRole?: string | null;
+    enableScopedAuth?: boolean;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface CreateTenantRequest {
+    name: string;
+    slug: string;
+    vendorId?: string;
+    allowedDomains?: string[];
+    autoProvisionRole?: string;
+    plan?: string;
+}
+interface UpdateTenantRequest {
+    name?: string;
+    slug?: string;
+    vendorId?: string | null;
+    allowedDomains?: string[];
+    autoProvisionRole?: string;
+    plan?: string;
+    isActive?: boolean;
+    enableScopedAuth?: boolean;
+}
+interface PromoteToVendorRequest {
+    platformTenantId: string;
+}
+interface PromoteToVendorResult {
+    message: string;
+    vendorId: string;
+    vendorSlug: string;
+    platformTenantId: string;
+}
+interface InviteTenantUserRequest {
+    email: string;
+    role: string;
+    products?: string[];
+    vendorId?: string;
+}
+interface InviteTenantUserResult {
+    invitation: Invitation;
+    inviteToken?: string;
+    warning?: string;
+}
+interface TenantUserRoleUpdate {
+    tenantUserId: string;
+    userId: string;
+    role: string;
+}
+interface MigrateUserRequest {
+    targetTenantId: string;
+    role: string;
+}
+interface BrandingConfig {
+    id?: string;
+    vendorId: string;
+    tenantId: string;
+    primaryColor?: string;
+    secondaryColor?: string;
+    accentColor?: string;
+    logoUrl?: string | null;
+    logoDarkUrl?: string | null;
+    faviconUrl?: string | null;
+    heroImageUrl?: string | null;
+    brandName?: string;
+    loginHeadline?: string | null;
+    loginSubheadline?: string | null;
+    companyName?: string;
+    headline?: string | null;
+    subheadline?: string | null;
+    supportEmail?: string;
+    supportUrl?: string | null;
+    termsUrl?: string | null;
+    privacyUrl?: string | null;
+    isPublished?: boolean;
+    publishedAt?: string | null;
+}
+interface UpdateBrandingRequest {
+    primaryColor?: string;
+    secondaryColor?: string;
+    accentColor?: string;
+    brandName?: string;
+    loginHeadline?: string;
+    loginSubheadline?: string;
+    companyName?: string;
+    headline?: string;
+    subheadline?: string;
+    logoUrl?: string | null;
+    logoDarkUrl?: string | null;
+    faviconUrl?: string | null;
+    heroImageUrl?: string | null;
+    supportEmail?: string;
+    supportUrl?: string;
+    termsUrl?: string;
+    privacyUrl?: string;
+}
+interface BrandingAsset {
+    id: string;
+    vendorId: string;
+    tenantId: string;
+    filename: string;
+    originalFilename?: string;
+    mimeType: string;
+    url?: string;
+    publicUrl?: string;
+    fileSize?: number;
+    purpose?: string;
+    createdAt?: string;
+}
+interface UploadAssetRequest {
+    filename: string;
+    mimeType: string;
+    data: string;
+    purpose?: string;
+}
+interface BrandingDomainMapping {
+    id: string;
+    vendorId: string;
+    tenantId: string;
+    domain: string;
+    createdAt?: string;
+}
+interface OidcDiscovery {
+    issuer: string;
+    authorization_endpoint: string;
+    token_endpoint: string;
+    userinfo_endpoint: string;
+    jwks_uri: string;
+    scopes_supported: string[];
+    response_types_supported: string[];
+    response_modes_supported: string[];
+    grant_types_supported: string[];
+    subject_types_supported: string[];
+    id_token_signing_alg_values_supported: string[];
+    token_endpoint_auth_methods_supported: string[];
+    claims_supported: string[];
+    code_challenge_methods_supported: string[];
+    registration_endpoint?: string;
+}
+interface JwksKey {
+    kty: string;
+    use: string;
+    alg: string;
+    kid: string;
+    n: string;
+    e: string;
+}
+interface JwksResponse {
+    keys: JwksKey[];
+}
+interface OidcTokenResponse {
+    access_token: string;
+    token_type: string;
+    expires_in: number;
+    refresh_token: string;
+    id_token?: string;
+}
+interface HostedClientContext {
+    clientId: string;
+    clientName: string;
+    tenantId: string | null;
+    tenantName: string | null;
+    tenantSlug: string | null;
+    signupAllowed: boolean;
+    googleAvailable: boolean;
+    passwordLoginEnabled: boolean;
+    loginMethods: string[];
+    providerDisplayOrder: string[];
+    helpText: string | null;
+    supportUrl: string | null;
+}
+interface ApiSuccessResponse<T = unknown> {
+    success: true;
+    data: T;
+}
+interface ApiErrorResponse {
+    success: false;
+    error: {
+        code: string;
+        message: string;
+    };
+}
+type ApiResponse<T = unknown> = ApiSuccessResponse<T> | ApiErrorResponse;
+interface MfaMethod {
+    method: string;
+}
+interface MfaEnrollment {
+    id: string;
+    method: string;
+    isPrimary?: boolean;
+}
+interface TotpEnrollmentResult {
+    secret: string;
+    qrCodeUri: string;
+    qrCodeDataUrl: string;
+}
+interface TokenAuthenticatedMfaVerifyResult {
+    authMode: "token";
+    tokens: TokenPair;
+    user: UserProfile;
+    remainingBackupCodes?: number;
+    warning?: string;
+}
+interface SessionAuthenticatedMfaVerifyResult {
+    authMode: "session";
+    user: SessionUser;
+    remainingBackupCodes?: number;
+    warning?: string;
+}
+type MfaVerifyResult = TokenAuthenticatedMfaVerifyResult | SessionAuthenticatedMfaVerifyResult;
+interface PasswordPolicy {
+    minLength?: number;
+    maxAgeDays?: number;
+    reuseCount?: number;
+    maxFailedAttempts?: number;
+    lockoutDurationMinutes?: number;
+}
+interface MfaPolicy {
+    role: string;
+    required: boolean;
+    methods?: string[];
+}
+interface UserPermissions {
+    [key: string]: unknown;
+}
+interface ProvisionUserRequest {
+    email: string;
+    name: string;
+    role: string;
+    vendorId?: string;
+    isActive?: boolean;
+    externalId?: string;
+}
+interface ProvisionUserResponse {
+    userId: string;
+    email: string;
+    tenantId: string;
+    role: string;
+    vendorId: string | null;
+}
+interface PermissionNodeManifest {
+    key: string;
+    label: string;
+    description?: string;
+    metadata?: Record<string, unknown>;
+    children?: PermissionNodeManifest[];
+}
+interface AppManifest {
+    key: string;
+    name: string;
+    description?: string;
+    version: string;
+    tenantId?: string | null;
+    metadata?: Record<string, unknown>;
+    permissions: PermissionNodeManifest[];
+}
+interface AppInfo {
+    id: string;
+    key: string;
+    name: string;
+    description?: string | null;
+    version: string;
+    tenantId?: string | null;
+    metadata?: Record<string, unknown>;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface PermissionNodeInfo {
+    id: string;
+    appId: string;
+    parentId: string | null;
+    key: string;
+    label: string;
+    description?: string | null;
+    version: string;
+    metadata?: Record<string, unknown>;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface AppSyncResult {
+    appId: string;
+    nodesUpserted: number;
+}
+interface IQAuthRequestLike {
+    headers?: {
+        authorization?: string | string[] | undefined;
+        [key: string]: unknown;
+    };
+    auth?: JwtClaims;
+    [key: string]: unknown;
+}
+interface IQAuthResponseLike {
+    status(code: number): IQAuthResponseLike;
+    json(body: unknown): IQAuthResponseLike;
+}
+type IQAuthNextFunction = (err?: unknown) => void;
+interface ExpressMiddlewareOptions {
+    requireAuth?: boolean;
+    requiredRoles?: string[];
+    requiredEntitlements?: string[];
+    onUnauthorized?: (res: IQAuthResponseLike, reason: string) => void;
+    onForbidden?: (res: IQAuthResponseLike, reason: string) => void;
+    /**
+     * Receives unexpected (non-IQAuthError) errors thrown during verification so
+     * callers can log/report them. The original message is never sent to the
+     * client; clients only see a generic INTERNAL_ERROR response.
+     */
+    onError?: (err: unknown) => void;
+}
+interface Role {
+    id: string;
+    name: string;
+    tenantId: string | null;
+    description?: string | null;
+    hierarchyLevel: number;
+    isSystem: boolean;
+    allowedScopeTypes?: string[] | null;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface CreateRoleRequest {
+    name: string;
+    description?: string;
+    hierarchyLevel: number;
+}
+interface UpdateRoleRequest {
+    description?: string;
+    hierarchyLevel?: number;
+}
+interface AssignRoleRequest {
+    roleName: string;
+    scopeType?: string;
+    scopeId?: string;
+}
+interface UserRoleAssignment {
+    id: string;
+    userId: string;
+    tenantId: string;
+    roleId: string;
+    assignedAt: string;
+    assignedBy: string | null;
+}
+interface UserGroupAssignment {
+    id: string;
+    userId: string;
+    groupId: string;
+    tenantId: string;
+    assignedAt: string;
+    assignedBy: string | null;
+}
+interface TenantUser {
+    id: string;
+    tenantId: string;
+    userId: string;
+    vendorId: string | null;
+    joinedAt: string;
+    invitedBy: string | null;
+    isActive: boolean;
+    failedLoginAttempts: number;
+    lockedUntil: string | null;
+    pinFailedAttempts: number;
+    pinLockedUntil: string | null;
+    deactivatedAt: string | null;
+    deactivatedBy: string | null;
+    metadata: Record<string, unknown>;
+}
+interface PermissionGroup {
+    id: string;
+    tenantId: string;
+    name: string;
+    description?: string | null;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface GroupPermission {
+    id: string;
+    groupId: string;
+    product: string;
+    scope: string;
+    effect: string;
+    weight?: number | null;
+    appKey?: string | null;
+    nodeKey?: string | null;
+    createdAt?: string;
+}
+interface AddGroupPermissionRequest {
+    product?: string;
+    scope?: string;
+    effect: string;
+    weight?: number;
+    appKey?: string;
+    nodeKey?: string;
+}
+interface InheritanceRelation {
+    id: string;
+    groupId: string;
+    inheritsFromGroupId: string;
+}
+interface UserPermissionOverride {
+    id: string;
+    userId: string;
+    tenantId: string;
+    product: string;
+    scope: string;
+    effect: string;
+    weight?: number | null;
+    expiresAt?: string | null;
+    createdAt?: string;
+}
+interface AddUserOverrideRequest {
+    product?: string;
+    scope?: string;
+    effect: string;
+    weight?: number;
+    expiresAt?: string;
+    appKey?: string;
+    nodeKey?: string;
+}
+interface EffectivePermission {
+    scope: string;
+    effect: string;
+    weight: number;
+    source: string;
+    permissionNodeId: string | null;
+}
+interface PermissionCheckResult {
+    allowed: boolean;
+    appKey: string;
+    nodeKey: string;
+}
+interface ApiKeyInfo {
+    id: string;
+    name: string;
+    tenantId: string;
+    prefix?: string;
+    scopes: string[];
+    createdBy: string;
+    isActive: boolean;
+    expiresAt?: string | null;
+    lastUsedAt?: string | null;
+    createdAt?: string;
+}
+interface CreateApiKeyRequest {
+    name: string;
+    scopes?: string[];
+    expiresAt?: string;
+    tenantId?: string;
+}
+interface CreateApiKeyResult {
+    key: ApiKeyInfo;
+    rawKey: string;
+}
+interface ApiKeyIntrospection {
+    tenantId: string;
+    scopes: string[];
+    name: string;
+    [key: string]: unknown;
+}
+interface Invitation {
+    id: string;
+    email: string;
+    tenantId: string;
+    vendorId?: string | null;
+    role: string;
+    products?: string[];
+    status: string;
+    invitedBy: string;
+    expiresAt?: string;
+    createdAt?: string;
+}
+interface CreateInviteRequest {
+    email: string;
+    tenantId: string;
+    vendorId?: string;
+    role: string;
+    products?: string[];
+}
+interface InviteValidation {
+    valid: boolean;
+    email?: string;
+    role?: string;
+}
+interface AcceptInviteRequest {
+    password?: string;
+    name?: string;
+    googleId?: string;
+}
+interface WebhookEndpoint {
+    id: string;
+    tenantId: string;
+    url: string;
+    events: string[];
+    isActive: boolean;
+    createdBy: string;
+    createdAt?: string;
+}
+interface CreateWebhookRequest {
+    url: string;
+    events: string[];
+}
+interface CreateWebhookResult {
+    endpoint: WebhookEndpoint;
+    secret: string;
+}
+interface WebhookDelivery {
+    id: string;
+    endpointId?: string;
+    webhookEndpointId?: string;
+    event?: string;
+    eventType?: string;
+    payload: unknown;
+    statusCode?: number | null;
+    responseStatus?: number | null;
+    response?: string | null;
+    responseBody?: string | null;
+    success?: boolean;
+    nextRetryAt?: string | null;
+    deliveredAt?: string;
+    createdAt?: string;
+}
+interface WebhookTestResult {
+    statusCode: number;
+    response?: string;
+    [key: string]: unknown;
+}
+interface Entitlement {
+    id: string;
+    tenantId: string;
+    product: string;
+    grantedBy: string;
+    expiresAt?: string | null;
+    createdAt?: string;
+}
+interface GrantEntitlementRequest {
+    product: string;
+    expiresAt?: string;
+}
+interface Vendor {
+    id: string;
+    tenantId: string;
+    name: string;
+    slug: string;
+    status: string;
+    metadata?: Record<string, unknown> | null;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface CreateVendorRequest {
+    name: string;
+    slug?: string;
+    status?: string;
+    metadata?: Record<string, unknown>;
+}
+interface UpdateVendorRequest {
+    name?: string;
+    slug?: string;
+    status?: string;
+    metadata?: Record<string, unknown>;
+}
+interface Source {
+    id: string;
+    vendorId?: string;
+    tenantId: string;
+    name: string;
+    slug: string;
+    status: string;
+    metadata?: Record<string, unknown> | null;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface CreateSourceRequest {
+    name: string;
+    slug?: string;
+    status?: string;
+    metadata?: Record<string, unknown>;
+}
+interface UpdateSourceRequest {
+    name?: string;
+    slug?: string;
+    status?: string;
+    metadata?: Record<string, unknown>;
+}
+interface Client {
+    id: string;
+    sourceId?: string;
+    tenantId: string;
+    name: string;
+    slug: string;
+    clientType?: string | null;
+    status: string;
+    metadata?: Record<string, unknown> | null;
+    createdAt?: string;
+    updatedAt?: string;
+}
+interface CreateClientRequest {
+    name: string;
+    slug?: string;
+    clientType?: string;
+    status?: string;
+    metadata?: Record<string, unknown>;
+}
+interface UpdateClientRequest {
+    name?: string;
+    slug?: string;
+    clientType?: string;
+    status?: string;
+    metadata?: Record<string, unknown>;
+}
+interface HierarchyVendor extends Vendor {
+    sources: HierarchySource[];
+    linkedSourceCount: number;
+}
+interface HierarchySource extends Source {
+    clients: HierarchyClient[];
+    linkedVendorCount: number;
+    linkedClientCount: number;
+}
+interface HierarchyClient extends Client {
+    linkedSourceCount: number;
+}
+interface HierarchyLink {
+    vendorId?: string;
+    sourceId?: string;
+    clientId?: string;
+}
+interface Membership {
+    id: string;
+    userId: string;
+    tenantId: string;
+    roleId: string;
+    scopeType: string;
+    scopeId: string;
+    isActive: boolean;
+    assignedBy: string;
+    expiresAt?: string | null;
+    metadata?: Record<string, unknown> | null;
+    createdAt?: string;
+}
+interface CreateMembershipRequest {
+    userId: string;
+    roleName: string;
+    scopeType: string;
+    scopeId: string;
+}
+interface UpdateMembershipRequest {
+    expiresAt?: string | null;
+    metadata?: Record<string, unknown>;
+}
+interface MembershipWithDetails extends Membership {
+    roleName?: string;
+    scopeEntityName?: string;
+    [key: string]: unknown;
+}
+interface ScopeTreeClient {
+    id: string;
+    name: string;
+    role: string;
+    grantedVia: string;
+}
+interface ScopeTreeSource {
+    id: string;
+    name: string;
+    role: string;
+    grantedVia: string;
+    clients: ScopeTreeClient[];
+    linkedVendorCount: number;
+}
+interface ScopeTreeVendor {
+    id: string;
+    name: string;
+    role: string;
+    grantedVia: string;
+    sources: ScopeTreeSource[];
+    linkedSourceCount: number;
+}
+interface AvailableScopesTree {
+    tenant: {
+        id: string;
+        name: string;
+        role: string;
+    } | null;
+    vendors: ScopeTreeVendor[];
+    sources: ScopeTreeSource[];
+    clients: ScopeTreeClient[];
+}
+interface ScopeSwitchResult {
+    accessToken: string;
+    scopeContext: ScopeContext;
+}
+interface GdprExportData {
+    exportedAt: string;
+    user: Record<string, unknown>;
+    memberships: Record<string, unknown>[];
+    sessions: Record<string, unknown>[];
+    linkedAccounts: Record<string, unknown>[];
+    mfaEnrollments: Record<string, unknown>[];
+    auditLog: Record<string, unknown>[];
+}
+interface PinStatus {
+    hasPin: boolean;
+    pinPolicy: {
+        minLength: number;
+        maxLength: number;
+    };
+    [key: string]: unknown;
+}
+interface PinLoginResult {
+    type: "success" | "mfa_required" | "tenant_selection";
+    accessToken?: string;
+    refreshToken?: string;
+    user?: UserProfile;
+    mfaChallengeToken?: string;
+    availableMethods?: string[];
+    tenantSelectionToken?: string;
+    tenants?: Tenant[];
+}
+interface MfaAvailableMethods {
+    available: string[];
+}
+interface TotpEnrollResult {
+    secret: string;
+    qrCodeUri: string;
+    qrCodeDataUrl: string;
+}
+interface TotpVerifyResult {
+    enrollment: MfaEnrollment;
+    backupCodes: string[];
+    backupCodesWarning: string;
+}
+interface SmsEnrollResult {
+    sent: boolean;
+}
+interface EmailEnrollResult {
+    sent: boolean;
+}
+interface BackupCodesResult {
+    backupCodes: string[];
+    warning: string;
+}
+interface BackupCodeCountResult {
+    remainingBackupCodes: number;
+}
+export type { PermissionNodeInfo as $, ApiSuccessResponse as A, BrandingConfig as B, CreateTenantRequest as C, MfaVerifyResult as D, PasswordPolicy as E, MfaPolicy as F, UserPermissions as G, ProvisionUserRequest as H, IQAuthEnvironment as I, JwtClaims as J, ProvisionUserResponse as K, LoginResult as L, MigrateUserRequest as M, ExpressMiddlewareOptions as N, OidcDiscovery as O, PromoteToVendorRequest as P, IQAuthRequestLike as Q, IQAuthResponseLike as R, ScopeContext as S, TokenPair as T, UserProfile as U, IQAuthNextFunction as V, IQAuthRetryConfig as W, IQAuthVerifyConfig as X, PermissionNodeManifest as Y, AppManifest as Z, AppInfo as _, IQAuthClientConfig as a, SignupRequest as a$, AppSyncResult as a0, Role as a1, CreateRoleRequest as a2, UpdateRoleRequest as a3, AssignRoleRequest as a4, UserRoleAssignment as a5, UserGroupAssignment as a6, TenantUser as a7, PermissionGroup as a8, GroupPermission as a9, UpdateSourceRequest as aA, Client as aB, CreateClientRequest as aC, UpdateClientRequest as aD, HierarchyVendor as aE, HierarchySource as aF, HierarchyClient as aG, HierarchyLink as aH, Membership as aI, CreateMembershipRequest as aJ, UpdateMembershipRequest as aK, MembershipWithDetails as aL, AvailableScopesTree as aM, ScopeTreeClient as aN, ScopeTreeSource as aO, ScopeTreeVendor as aP, ScopeSwitchResult as aQ, GdprExportData as aR, PinStatus as aS, PinLoginResult as aT, MfaAvailableMethods as aU, TotpEnrollResult as aV, TotpVerifyResult as aW, SmsEnrollResult as aX, EmailEnrollResult as aY, BackupCodesResult as aZ, BackupCodeCountResult as a_, AddGroupPermissionRequest as aa, InheritanceRelation as ab, UserPermissionOverride as ac, AddUserOverrideRequest as ad, EffectivePermission as ae, PermissionCheckResult as af, ApiKeyInfo as ag, CreateApiKeyRequest as ah, CreateApiKeyResult as ai, ApiKeyIntrospection as aj, Invitation as ak, CreateInviteRequest as al, InviteValidation as am, AcceptInviteRequest as an, WebhookEndpoint as ao, CreateWebhookRequest as ap, CreateWebhookResult as aq, WebhookDelivery as ar, WebhookTestResult as as, Entitlement as at, GrantEntitlementRequest as au, Vendor as av, CreateVendorRequest as aw, UpdateVendorRequest as ax, Source as ay, CreateSourceRequest as az, IQAuthTokenClientConfig as b, HostedClientContext as b0, IQAuthBrowserSessionClientConfig as c, SessionUser as d, Tenant as e, TokenAuthenticatedLoginResult as f, SessionAuthenticatedLoginResult as g, Session as h, TenantInfo as i, UpdateTenantRequest as j, PromoteToVendorResult as k, InviteTenantUserRequest as l, InviteTenantUserResult as m, TenantUserRoleUpdate as n, UpdateBrandingRequest as o, BrandingAsset as p, UploadAssetRequest as q, BrandingDomainMapping as r, JwksKey as s, JwksResponse as t, OidcTokenResponse as u, ApiErrorResponse as v, ApiResponse as w, MfaMethod as x, MfaEnrollment as y, TotpEnrollmentResult as z };